SRX

Expand all | Collapse all

IPSEC between SRX and Cisco asa

Jump to Best Answer
  • 1.  IPSEC between SRX and Cisco asa

    Posted 09-12-2019 04:23
      |   view attached

    Hello,

     

    I would like to setup ipsec connection between SRX340 and Cisco asa firewall. Inside my network i have SRX directly connected via interconnect supplier (datacenter network) towards ISP. We are using their dedicated servers/srx/switches also we received a public range of 5.200.5.80/29. The firewall has reth0.100 as "internet" interface and the firewall itself has 5.200.5.81 as IP address. Then interfaces ge-0/0/7.1409 and ge-5/0/7.2409 are directly connected towards datacenter with private range. Also within my network i have different zones ot-application, ap-application etc... .

     

    Now i need to setup ipsec, do i need to use policy-based vpn or routing-based vpn?. I know that Cisco asa only support policy-based vpn. So in regarding SRX of having different zones, which one do i need the most to setup ipsec connection?. how do i implement this with combination of different zones?. Also do i need to create NAT exemption to exclude traffic from NAT operation"IPSEC does not work over NAT"?. Anyone has an example how to set this up or idea?.

     

     

    Zones:

    untrust -  ge-0/0/7.1409 and ge-5/0/7.2409 towards datacenter interconnect routers have private IP's

    trust - reth0.100  internet ("public range", source-NAT ip of the public range)

    ot-application - reth1.30

    ap-application - reth1.20

     

    i have attached a topology.

     

    thanks



  • 2.  RE: IPSEC between SRX and Cisco asa

    Posted 09-12-2019 07:27

    Hi Suli,

     

    Please find the KB article for configuring VPN between SRX and Cisco - https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

     

    Also, take a look at VPN configuration generator - https://support.juniper.net/support/tools/vpnconfig/

     

    Now i need to set up ipsec, do i need to use policy-based vpn or routing-based vpn?.
    A: You can implement either Route-based VPN or Policy-based VPN based upon your requirement.

     

    So in regarding SRX of having different zones, which one do i need the most to setup ipsec connection?. how do i implement this with
    combination of different zones?.
    A: You need to concentrate on the interface which is going to negotiate IKE in order to make the tunnel up. In your case, it is reth0.100 and it resides in the "trust" zone. The weird thing is you've given the zone name as trust for an internet-facing interface.


    Also do i need to create NAT exemption to exclude traffic from NAT operation"IPSEC does not work over NAT"?. Anyone has an example how to set this up or idea?.
    A: This situation comes when Initiator or Responder or both fall behind a NAT device.



  • 3.  RE: IPSEC between SRX and Cisco asa

    Posted 09-12-2019 09:52

    Hello,

     

    So in regarding SRX of having different zones, which one do i need the most to setup ipsec connection?. how do i implement this with
    combination of different zones?.
    A: You need to concentrate on the interface which is going to negotiate IKE in order to make the tunnel up. In your case, it is reth0.100 and it resides in the "trust" zone. The weird thing is you've given the zone name as trust for an internet-facing interface.

     

    we had also the same argument, but this is how it is delivered from datacenter, and we're trying to do other configuration with the current situation.

     

    Thank u for the explaination and links. But in mijn situation i am kind a confused how to configure policys for this. the reason is that i have different zones as inside. So in my situation trust 'internet' zone has been used as untrust/outside where reth0.100 ike negotiate, but what about the local private metwork zones, how do i tell the ipsec that this are my inside zones?.



  • 4.  RE: IPSEC between SRX and Cisco asa
    Best Answer

    Posted 09-12-2019 10:21

    Suli,

     

    If you're using policy based VPN, we will define policy like mentioned below. From the policy you can see that when traffic is originating from trust towards untrust matching particular source,destination and application, we are making it to pass through the tunnel using then "permit tunnel ipsec-vpn" statement.

     

    set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address sunnyvale
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address chicago 
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any 
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago 

     

     

    For Route based VPN, we will be configuring traffic selectors to match the interesting traffic. Also, make sure you have security policies in place for the traffic to pass from trust zone to vpn zone.

     

    set security ipsec vpn SRX_A-to-SRX_B traffic-selector TS1 local-ip 192.168.10.0/24 remote-ip 192.168.0.0/16

     

     



  • 5.  RE: IPSEC between SRX and Cisco asa

    Posted 09-12-2019 11:08

    thank u again. i will try this out.